Unquoted path or search item vulnerability in SugarSync

Posted date 03/05/2024
4 - High
Affected Resources

SugarSync, versions lower than 4.1.3.


INCIBE has coordinated the publication of a high-severity vulnerability affecting SugarSync Inc, a cloud-based document storage and synchronization service, in versions lower than 4.1.3. The vulnerability was discovered by Jorge Manuel Lozano Gómez.

This vulnerability has been assigned the following identifier, CVSS v3.1 base score, CVSS vector and CWE vulnerability type:

  • CVE-2024-4461: 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | CWE-428.

There is no reported solution at this time.


CVE-2024-4461: unquoted path or search item vulnerability in SugarSync versions prior to 4.1.3 for Windows. This misconfiguration could allow an unauthorized local user to inject arbitrary code into the unquoted service path, resulting in privilege escalation.
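A defender can check for this weakness class (CWE-428) by examining each Windows service's ImagePath value under HKLM\SYSTEM\CurrentControlSet\Services. The following is an added example, not code from INCIBE or SugarSync: it flags values whose executable portion contains spaces but is not quoted, and returns the quoted form. The service names and paths are constructed samples, and `audit_image_path` and `audit` are hypothetical helper names.

```python
import re

# Heuristic: the executable portion ends at the first .exe/.com/.bat/.cmd
# that is followed by whitespace or the end of the string.
_EXE_END = re.compile(r"\.(exe|com|bat|cmd)(?=\s|$)", re.IGNORECASE)

# Constructed ImagePath values; not taken from SugarSync or any real host.
SAMPLES = {
    "ExampleSync": r"C:\Program Files\Example Vendor\Sync Agent\agent.exe -service",
    "ExampleQuoted": r'"C:\Program Files\Example Vendor\agent.exe" -service',
    "ExampleFlat": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
    "ExampleDriver": r"\SystemRoot\System32\drivers\example.sys",
}


def audit_image_path(image_path):
    """Classify one ImagePath value for CWE-428.

    Returns (status, suggested): status is 'quoted', 'no-spaces',
    'unquoted-with-spaces' or 'unparsed'; suggested is the quoted form
    to write back, or None when the value is not flagged.
    """
    value = image_path.strip()
    if value.startswith('"'):
        return ("quoted", None)
    match = _EXE_END.search(value)
    if match is None:
        return ("unparsed", None)      # e.g. driver paths; review by hand
    exe, args = value[:match.end()], value[match.end():]
    if not re.search(r"\s", exe):
        return ("no-spaces", None)     # spaces only in arguments are harmless
    return ("unquoted-with-spaces", '"' + exe + '"' + args)


def audit(services):
    """Return {service_name: suggested_fix} for every flagged entry."""
    findings = {}
    for name, path in services.items():
        status, suggested = audit_image_path(path)
        if status == "unquoted-with-spaces":
            findings[name] = suggested
    return findings


if __name__ == "__main__":
    for name, fix in audit(SAMPLES).items():
        print(f"{name}: quote the path -> {fix}")
```

On a live host, feed `audit` a dictionary built from the registry or from the `PathName` property of `Win32_Service`; entries reported as `unparsed` need manual review.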
